ARRIS & GDPR

27 Apr 2018

By Brad GorkaSr Director, Information Security & IT Governance

You've already heard about GDPR. In this blog, we'll cover what it is and what ARRIS is doing about it.

Next month, on May 25th, the European Union (EU) will begin enforcing new legislation that regulates the way companies handle people's personal data. These requirements are known collectively as the General Data Protection Regulation (GDPR). GDPR affects any company that handles the personal data of EU residents, regardless of where that company is located.

ARRIS is one such company, and we've been preparing for GDPR compliance for the past year. Conveniently, many of these regulations mirror proactive changes and best practices that ARRIS has already implemented throughout our organization. But in order to navigate this brand new and sweeping set of regulations, we've taken a comprehensive approach to compliance.

Exploration: We began working towards compliance a year ago by appointing a cross-functional team of experts to research GDPR and assess its potential scope throughout our business. ARRIS doesn't process much personal identifiable information from external sources, so our initial priority was employee data. We've since expanded our scope to include the limited set of affected ARRIS and Ruckus solutions and services.

Survey: Our GDPR team then conducted a quantitative survey with multiple stakeholders and obtained more than 36,000 data points to better understand the way we process information, mapping out the flow of personal & confidential data throughout our organization.

Management: We used the results from our survey to structure a framework for managing compliance—from monitoring and reviewing data to implementing key changes. We sourced leading software solutions to build compliance around our existing processes and incorporated established industry standards like ISO 27002. Finally, we consulted outside legal experts and privacy consultants to provide additional insights into compliance and validate our plans.

Education: We then began educating our internal audiences—including IT, HR, Legal, Product, Marketing, and Sales--on our recommended processes for GDPR training, review, and decision-making. We coordinated with external partners and vendors to ensure cooperation and continuity. And we shared our expertise and findings with other businesses and industry organizations.

Implementation: Today, we continue to audit our business, streamline processes and implement required changes. It is important to recognize that GDPR compliance is a journey, not a destination. Since the beginning of our GDPR initiative, we've not only identified our key areas of focus but have created business-specific tools and durable processes for managing the continual compliance of ARRIS systems within the new regulations. We plan to refine these approaches as we continue to improve the way we do business with our customers.